Openbanking Brazil: shall not allow refresh tokens rotation feature. #326
Comments
Hello @casfe03, IMO, there are two ways to satisfy the added requirement:
If we take the option 2, we need to enhance the current client policies. I have sent the PR for it. In this PR, I simulated the option 2 and made sure that it works well by running the arquillian integration test. @mposolda could you please tell me your opinion about which way is appropriate or whether another good way exists?
Thank you @tnorimat
@tnorimat, do you have more information about this issue? Because it's very important for the FAPI-Brazil compliance tests.
Hello @evertongodoi,
@evertongodoi @casfe03 I think this issue can be resolved by keycloak/keycloak#12551.
Thank you @tnorimat :)
Thanks @tnorimat!
@tnorimat in the Keycloak interface, where can I enable the SuppressRefreshTokenRotationExecutor?
@evertongodoi
and applies it to a client by a policy of client policies like:
Please note that Keycloak 20 or later will include the PR.
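One way to wire this up and then check the resulting token-endpoint behaviour, added here as an example (it is not the commenter's snippet nor Keycloak project code). It assumes Keycloak's client-policies JSON layout with a `client-roles` condition whose `roles` key lists a realm role, and the profile, policy and role names are made up; the token responses fed to the checker are constructed sample data.

```python
"""Added example: attach the suppress-refresh-token-rotation executor via
client policies, and verify the FAPI-Brazil expectation from the issue:
one refresh token per grant, a fresh access token on every refresh,
distinct refresh tokens across grants."""

EXECUTOR_ID = "suppress-refresh-token-rotation"  # providerId quoted in the thread


def build_client_policy_payloads(role: str = "fapi-br-client"):
    """Return (profiles, policies) bodies for the Client Policies JSON editor
    or the admin REST API. Names below are assumed/made up for illustration;
    the 'client-roles' condition and its 'roles' key are assumed from Keycloak's
    client-policies format."""
    profile_name = "fapi-br-no-refresh-rotation"
    profiles = {"profiles": [{
        "name": profile_name,
        "description": "OB Brazil item 17: do not rotate refresh tokens",
        "executors": [{"executor": EXECUTOR_ID, "configuration": {}}],
    }]}
    policies = {"policies": [{
        "name": "fapi-br-clients",
        "enabled": True,
        "conditions": [{"condition": "client-roles",
                        "configuration": {"roles": [role]}}],
        "profiles": [profile_name],
    }]}
    return profiles, policies


def check_no_rotation(responses):
    """responses: list of (grant_id, token_response_dict) in issue order.
    Returns a list of violations; an empty list means the spec is satisfied."""
    violations = []
    refresh_for_grant = {}   # grant_id -> the single refresh token of that grant
    seen_access = set()
    for grant, body in responses:
        rt, at = body["refresh_token"], body["access_token"]
        if at in seen_access:            # every refresh must mint a new access token
            violations.append(f"{grant}: access token reused")
        seen_access.add(at)
        if grant not in refresh_for_grant:
            if rt in refresh_for_grant.values():   # grants must not share one token
                violations.append(f"{grant}: refresh token shared with another grant")
            refresh_for_grant[grant] = rt
        elif rt != refresh_for_grant[grant]:       # rotation is what must NOT happen
            violations.append(f"{grant}: refresh token rotated")
    return violations
```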
@tnorimat thanks for your response! But when I add a profile of client policies, Keycloak returns the error below.
[org.keycloak.services.clientpolicy.ClientPoliciesUtil] (executor-thread-727) no executor provider found. providerId = suppress-refresh-token-rotation
[org.keycloak.services.clientpolicy.DefaultClientPolicyManager] (executor-thread-727) VALIDATE SERIALIZE PROFILES FAILED :: error = proposed client profile contains the executor, which does not have valid provider, or has invalid configuration., error detail = NA
@evertongodoi could you build the latest Keycloak main branch and use it? The PR was included in the branch after the commit whose id is
Hi,
Refresh token response samples:
Thank you for your assistance and insights regarding this matter. Best regards,
@cmswopenfinance Hello.
Description
Hi team, good night, how are you? There was a new update of the Openbanking Brazil SPEC and in this new spec item 17 was included:
17. shall not allow refresh tokens rotation feature. (https://github.com/OpenBanking-Brasil/specs-seguranca/blame/504e498c670001e98dd694c275b4855f2bc86387/open-banking-brasil-financial-api-1_ID3.md#L233)
The entire discussion on the subject can be found on the Forum: https://bitbucket.org/openid/fapi/issues/456/
Attached is also the log of the new OpenID compliance test; the specific test that failed is fapi1-advanced-final-refresh-token 1KkvpgqdHWbyski 4.1.43.
Basically, what is expected with the disablement of the refresh_token rotation feature is that when a new access_token is requested for every unique consent or grant, the same refresh_token is sent in the body.
Basically, for every unique consent or grant, as it is known, there should be a unique refresh token issued. Every time that refresh token is used, a new access token for that grant should be issued and the refresh token kept the same.
Different grants would have different refresh tokens.
Discussion
No response
Motivation
Support the new FAPI-Brazil compliance tests
Details
Basically, for every unique consent or grant, as it is known, there should be a unique refresh token issued. Every time that refresh token is used, a new access token for that grant should be issued and the refresh token kept the same.
Different grants would have different refresh tokens.